Releases: tfutils/tfscaffold

v2.3.3

24 Apr 13:25
ef11c97

Multi-group support and OpenTofu compatibility

Features

  • Multi-group support: -g/--group/--groups now accepts comma-delimited values, e.g. -g dev,live. Each group's tfvars file is loaded in order. Closes #41.
  • OpenTofu compatibility: All terraform binary invocations now use ${TERRAFORM_BIN:-terraform}. Set TERRAFORM_BIN=tofu to use OpenTofu as a drop-in replacement.

Full Changelog: v2.3.1...v2.3.3

v2.3.2

24 Apr 13:09
2c9b7e0

Multi-group support

The -g/--group flag (also --groups) now accepts comma-delimited values, e.g. -g dev,live, loading each group's tfvars file in order before environment-specific vars.

  • IFS-safe parsing via read -ra
  • Safe under set -uo pipefail with empty input
  • Groups are loaded in specified order, after global/region vars but before environment vars

Closes #41.
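The comma-delimited group parsing and load order described above, together with the ${TERRAFORM_BIN:-terraform} override from v2.3.3, as an added bash example. This is not tfscaffold's own terraform.sh: the tfvars file names (etc/global.tfvars, etc/region_<region>.tfvars, etc/group_<group>.tfvars, etc/env_<environment>.tfvars) and the function names are assumed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not tfscaffold's terraform.sh. Shows comma-delimited group
# parsing with read -ra, the resulting -var-file load order, and the
# ${TERRAFORM_BIN:-terraform} override, all safe under set -uo pipefail.
set -uo pipefail

# Resolve the binary: TERRAFORM_BIN=tofu selects OpenTofu as a drop-in.
tf_bin() {
  printf '%s\n' "${TERRAFORM_BIN:-terraform}"
}

# Print one -var-file argument per line in load order: global and region
# vars, then each group in the order given, then the environment vars.
# The file names are assumed for this example.
var_file_args() {
  local groups="${1:-}" environment="${2:-}" region="${3:-}"
  local -a group_list=()
  # IFS applies to this read only, so the rest of the script keeps the
  # default IFS. With empty input the array simply stays empty.
  if [ -n "$groups" ]; then
    IFS=',' read -ra group_list <<< "$groups"
  fi
  printf -- '-var-file=etc/global.tfvars\n'
  printf -- '-var-file=etc/region_%s.tfvars\n' "$region"
  local g
  # ${arr[@]+"${arr[@]}"} guards empty-array access under set -u on bash
  # versions older than 4.4, where a plain "${arr[@]}" would fail.
  for g in "${group_list[@]+"${group_list[@]}"}"; do
    printf -- '-var-file=etc/group_%s.tfvars\n' "$g"
  done
  printf -- '-var-file=etc/env_%s.tfvars\n' "$environment"
}

# Assemble the plan command line. Arguments are kept in an array and
# expanded as "${args[@]}", never re-split from a string.
plan_command() {
  local bin
  bin="$(tf_bin)"
  local -a args=()
  local line
  while IFS= read -r line; do
    args+=("$line")
  done < <(var_file_args "$@")
  printf '%s plan' "$bin"
  local a
  for a in "${args[@]+"${args[@]}"}"; do
    printf ' %s' "$a"
  done
  printf '\n'
}

# Usage: two groups, the dev environment, the eu-west-2 region.
plan_command "dev,live" "dev" "eu-west-2"
```

Running it with TERRAFORM_BIN=tofu in the environment prints the same argument list with tofu as the command; with an empty group list the group files are simply omitted and nothing trips set -u.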

Full Changelog: v2.3.1...v2.3.2

v2.3.1

24 Apr 13:04
fe55ecd

Backport downstream improvements to lambda, s3bucket, and cognito modules

Features

  • Lambda: Replaced external data source + Node.js script with native aws_lambda_layer_version for CloudWatch Lambda Insights
  • Lambda: Added ADOT OpenTelemetry layer support
  • Lambda: Added SSM Parameters & Secrets extension layer support
  • Lambda: Added memory usage CloudWatch alarm
  • Lambda: Error alarm now supports percentage-based thresholds
  • Lambda: Added destroy-time placeholder handling for S3 function source
  • Cognito: SMS IAM role and configuration gated on the sms_enabled variable
  • Cognito: Added software_token_mfa_configuration support
  • Cognito: Extracted ui_customisation as a standalone variable
  • Cognito: Added generate_secret variable for the Cognito user pool client
  • Cognito: Added callback_urls variable with app_fqdn fallback
  • Cognito: Added user_pool_domain_ready output
  • terraform.sh: Added edge lambda logging support

Bug Fixes

  • Lambda: Added length guards on S3 bucket/key/version references during destroy
  • Cognito: Fixed recovery mechanism priority ordering
  • Cognito: Fixed trailing whitespace

Chores

  • S3bucket: Removed deprecated expected_bucket_owner from accelerate, CORS, and encryption configs
  • S3bucket: Fixed lifecycle_configuration_id output
  • S3bucket: Uncommented ownership_controls output
  • Lambda: Removed external provider dependency (and ~63K lines of bundled Node.js)
  • Regenerated terraform-docs READMEs

Full Changelog: v2.3.0...v2.3.1

v2.3.0

24 Apr 11:52
431c424

2.3.0 (24/04/2026)

BREAKING CHANGES:

  • Shebang changed from #!/bin/bash to #!/usr/bin/env bash for portability.
  • set -uo pipefail now enforced across all scripts. Unbound variable access
    will now cause failures rather than silent empty expansion.
  • Bootstrap tag keys changed from capitalised (tfscaffold:Environment) to
    lowercase (tfscaffold:environment) for consistency with module conventions.

FEATURES:

  • error_and_die now accepts an optional second argument for custom exit codes.
  • TF_VAR_aws_account_id and TF_VAR_environment are now exported automatically,
    making them available to Terraform without explicit variable passthrough.
  • S3 backend configuration now always includes encrypt = true.
  • S3 backend configuration now injects profile when AWS_PROFILE is set,
    enabling named profile support for state access.
  • Remote dynamic tfvars now supports multiple files: all *.tfvars and
    *.tfvars.json files under the environment's S3 prefix are downloaded,
    replacing the previous single dynamic.tfvars pattern.
  • New output action for standalone terraform output retrieval, with optional
    JSON file output support.
  • IAM role module now supports sts:ExternalId conditions via optional
    external_id field on trusted principals.
  • SNS module now supports content_based_deduplication for FIFO topics.
  • Lambda module now supports reserved_concurrent_executions.
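Two of the terraform.sh features above, error_and_die with an optional exit code and the S3 backend block that always sets encrypt = true and adds profile only when AWS_PROFILE is set, as an added bash example. It is not tfscaffold's own code: the exact set of backend fields, the function names and the sample bucket/key values are assumed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not tfscaffold's terraform.sh. Shows an error_and_die that
# takes an optional exit code, and a backend "s3" block generator that
# always sets encrypt = true and injects profile only when AWS_PROFILE is
# set. The field set below is assumed for this example.
set -uo pipefail

# Print a message to stderr and exit. The second argument is the exit
# code and defaults to 1 when omitted.
error_and_die() {
  local message="$1" code="${2:-1}"
  printf 'ERROR: %s\n' "$message" >&2
  exit "$code"
}

# Emit the backend "s3" block for backend_tfscaffold.tf. State is always
# encrypted at rest; a named profile is added only when one is in use, so
# the generated file never hard-codes a profile that may not exist elsewhere.
backend_config() {
  local bucket="$1" key="$2" region="$3" lock_table="$4"
  local profile_line=""
  if [ -n "${AWS_PROFILE:-}" ]; then
    profile_line="    profile        = \"${AWS_PROFILE}\""$'\n'
  fi
  cat <<EOF
terraform {
  backend "s3" {
    region         = "${region}"
    bucket         = "${bucket}"
    key            = "${key}"
    dynamodb_table = "${lock_table}"
    encrypt        = true
${profile_line}  }
}
EOF
}

# Usage: sample values, constructed for this example.
backend_config "example-state-bucket" "example/terraform.tfstate" "eu-west-2" "example-locks"
```

Callers use error_and_die "message" for the default exit status and error_and_die "message" 3 (or any other code) when a distinct status is wanted; the example deliberately never calls it at top level, since that would terminate the script.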

BUG FIXES:

  • Fixed unquoted variable expansions throughout terraform.sh (~20 instances),
    including two HIGH-severity rm commands inside trap statements.
  • Fixed set -u safety: all declare statements now initialised, empty array
    access guarded, and ${AWS_DEFAULT_REGION:-} defaulted.
  • Fixed cognito module access_token_validity default key typo:
    validity corrected to value.
  • Fixed KMS module alias variable default from string "null" to HCL null.
  • Fixed VPC module force_destroy from string "true" to boolean true.
  • Fixed missing semicolons throughout terraform.sh for style consistency.
  • Fixed lockfile variable quoting in conditional test.
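Why the unquoted rm inside a trap was rated HIGH, as an added bash example that is not tfscaffold's code: it runs a pre-fix-shaped cleanup and the quoted, fixed shape from an EXIT trap inside a throwaway mktemp sandbox and reports which directory each one actually removed. The function names and sandbox layout are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not tfscaffold's terraform.sh. Inside a throwaway sandbox
# it shows what an unquoted path does when rm runs from an EXIT trap, and
# what the quoted form does instead. Function names are this example's own.
set -uo pipefail

# The pre-fix shape: $workdir is word-split (and glob-expanded) before rm
# sees it, so a path containing a space becomes two separate arguments.
cleanup_unquoted() {
  local workdir="$1"
  # shellcheck disable=SC2086
  rm -rf $workdir   # deliberately unquoted to reproduce the defect
}

# The fixed shape: the path reaches rm as exactly one argument.
cleanup_quoted() {
  local workdir="$1"
  rm -rf "$workdir"
}

# Run a cleanup function from an EXIT trap in a subshell, against a target
# directory whose name contains a space, next to an unrelated sibling
# "build". Prints "<sibling present>:<target present>" as 1/0 flags after
# the trap has fired, then removes the sandbox.
run_cleanup_in_trap() {
  local cleanup_fn="$1"
  local sandbox
  sandbox="$(mktemp -d)"
  mkdir -p "$sandbox/build" "$sandbox/build dir"
  (
    cd "$sandbox" || exit 1
    target="$sandbox/build dir"
    # Single quotes defer expansion until the trap fires.
    trap '"$cleanup_fn" "$target"' EXIT
    :
  )
  local sibling=0 target=0
  if [ -d "$sandbox/build" ]; then sibling=1; fi
  if [ -d "$sandbox/build dir" ]; then target=1; fi
  rm -rf "$sandbox"
  printf '%s:%s\n' "$sibling" "$target"
}

# Usage: the unquoted form deletes the sibling and leaves the target;
# the quoted form deletes only the target.
printf 'unquoted -> sibling:target = %s (wrong directory removed)\n' \
  "$(run_cleanup_in_trap cleanup_unquoted)"
printf 'quoted   -> sibling:target = %s (only the target removed)\n' \
  "$(run_cleanup_in_trap cleanup_quoted)"
```

In the unquoted run the string "<sandbox>/build dir" is split on the space, so rm receives "<sandbox>/build" and a relative "dir": the unrelated sibling is destroyed and the intended target survives. Because the trap fires on every exit path, including error paths, the same mistake in a real working tree deletes whatever the first word happens to name.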

CHORES:

  • Removed dead code: data.aws_iam_policy_document.default_assumerole from
    bootstrap (never referenced).
  • Removed duplicate data.aws_iam_policy_document.xray from lambda module
    (functionality already in lambda_core.tf).
  • Removed committed state files from bootstrap directory.
  • Renamed module.s3bucket_other.tf to module.s3bucket_bestpractice.tf to
    match the module name it declares.
  • Replaced TODO comment on cognito SNS policy with explanation of why
    sns:Publish on * is required for Cognito MFA/SMS.
  • Regenerated all terraform-docs README files.
  • Added vim modelines to all shell scripts.

SECURITY:

  • Updated esbuild from 0.24.0 to ^0.25.0 (CVE: dev server request forgery,
    medium severity).
  • Updated undici from 6.21.0 to >=6.21.1 (CVE: insufficiently random values,
    medium severity).

Full Changelog: v2.0.1...v2.3.0

v2.0.1

12 Feb 12:22

2.0.1 (12/02/2025)

  • Updated the included modules to follow the new standard and added other generic modules

Full Changelog: v2.0.0...v2.0.1

v2.0.0

03 Dec 17:44

2.0.0 (02/12/2024)

BREAKING CHANGES:

  • It is now possible, with a validation check, to destroy the bootstrap.
  • Bootstrap and the example component have been completely rewritten.
  • .terraform and backend_tfscaffold.tf are no longer removed during bootstrap cleanup.
  • Bootstrap and examples now configured to use terraform >= 1.10.0.
  • Bootstrap and examples now require terraform > 1.0.0.
  • Bootstrap and examples now require AWS Provider ~> 5.79.0.
  • tfscaffold tagging defaults have changed: tag keys are now prefixed with tfscaffold:

FEATURES:

  • Bootstraps can now be fully and cleanly destroyed, but only interactively:
    a manual text input is required to confirm.
  • A DynamoDB lock table has been added to Bootstrap.
  • Bootstrap now uses AWS Provider v4+ S3 Bucket property resources instead
    of declaring all configuration in a single bucket resource.
  • The example component has been rewritten to reflect modern naming standards
    and idempotency structures.
  • An example module has been added, which is called from the example component.
  • Example region changed to eu-west-2.
  • bin/docs.sh has been added to recursively apply terraform-docs
    (https://github.com/terraform-docs/terraform-docs) to all directories beneath
    the project root that contain a variables.tf file.
  • Remove unnecessary compatibility log entry for auto-approve.
  • Remove unnecessary non-current version transitions from the bootstrap bucket.

BUG FIXES:

  • Do not write .terraform.output.json after a destroy.
  • -compact-warnings is no longer passed to terraform init.

CHORES:

  • .gitignore updated

Full Changelog: v1.10.2...v2.0.0

v1.10.2

03 Dec 14:58

1.10.2 (02/12/2024)

BUG FIXES:

  • Correct terraform.output.json to .terraform.output.json

Full Changelog: v1.10.1...v1.10.2

v1.10.1

03 Dec 14:35

1.10.1 (02/12/2024)

BUG FIXES:

  • Add **/terraform.output.json to the default .gitignore

Full Changelog: v1.10.0...v1.10.1

v1.10.0

03 Dec 14:26

1.10.0 (02/12/2024)

FEATURES:

  • Apply/Refresh/Destroy actions now output a terraform.output.json file containing
    the contents of terraform output -json -no-color. On by default, can be disabled.
  • Ignore -w/--compact-warnings for commands that don't support it so the user
    can specify it all the time without worrying which commands support it.

BUG FIXES:

  • Fix plugin-cache base directory from $(pwd) to ${base_path} so it is correctly
    located if terraform.sh is invoked from somewhere other than the project root.

CHORES:

  • Fix inappropriate double-quoting of non-interpolated strings.

Full Changelog: v1.9.1...v1.10.0

v1.9.1

06 Sep 12:17

1.9.1 (06/09/2024)

BUG FIXES:

  • Correct selection of lockfile_or_upgrade, thanks to @edmundcraske-bjss

Full Changelog: v1.9.0...v1.9.1